[noise] Draft extension: Ephemeral key obfuscation
Justin Cormack
justin at specialbusservice.com
Mon May 28 03:53:26 PDT 2018
This kind of seems complicated, and IV reuse would be a problem?
On 28 May 2018 at 06:18, str4d <str4d at i2pmail.org> wrote:
> - aesobfse: Obfuscation using AES256-CBC with a pre-shared key and IV.
> - Fast, but requires a pre-message pattern for the responder (being
> the party that needs to successfully decode first).
> - Compatible with any DH type.
> - The encoded byte stream is the encryption of the regular encoding of
> the DH key, with arbitrary (ignored) data appended to round to a
> multiple of 16 bytes.
> - No padding mode is applied (so if the key is already a multiple of
> 16 bytes in length, no additional block is appended).
> - The last ciphertext block of the previous ephemeral in the handshake
> pattern is used as the IV for the next ephemeral (i.e. treating the
> ephemerals as a single plaintext stream).
> - [Meta-note: I'd love to hear alternative suggestions for a fast
> obfuscation mechanism.]
Why not something along the lines of (a) require use of a Noise
pattern with a psk0,
(b) add an eg 32 bit nonce token which sends a nonce that random, and
indistinguishable
from noise, then (c) this then allows e to be encrypted via an extra
flag in state. I think
something along these lines might work, using the same encryption
primitives? Currently
psk encryption uses e as the nonce but an explicit random nonce in the
transport stream
should work as well if you enforce psk, nonce, e, ... as the ordering.
Justin
More information about the Noise
mailing list